There is high CPU usage and a build-up of TMP files in the Data Loss Prevention Server, at the following location:

C:\users\<User Name>\appData\Local\Temp \DetectionServerContentExtraction\KP_xxxxxxxxxxxx (TMP Files)

This may occur after an upgrade.

By default, the ContentExtraction.TemporaryDirectory is not set in advanced settings. Therefore, the system creates a subdirectory with a prefix name "DetectionServerContentExtractionTemporary"

This incorrectly uses the mktemp api in Java to create the directory and passes on the name.

In some cases, such as with Network Monitor, the issue can prevent FileReader from starting.

DLP versions prior to 15.8.

1. From the Enforce server, open the Detection Server, click on the Server Settings button, and scroll down to the "ContentExtraction.TemporaryDirectory" field.
2. In the field, enter "C:\temp\TempCEHFiles".
3. Restart the Detection Server Monitor service.
4. On the Detection Server, remove/delete the DetectionServerContentExtraction folder.

This issue will be fixed in a future DLP release (most likely Orion, as per Etrack).

If FileReader is not starting, the issue is accompanied by the following:

• In the Enforce console the detection server shows as "Running Selected," as the FileReader is unable to start
• In the Enforce console, the detection server may reflect an error event code "2800" "Bad spool directory configured for Packet Capture"
• Pulling logs from the detection server, the FileReader logs contain the following entries:

Date: 3/12/2020 4:01:12 PM
Class: com.vontu.messaging.FileReaderSetup
Method: initialize
Level: SEVERE
Message:  (DETECTION.3) Failed to initialize Detection
java.lang.RuntimeException: Failed to create content extraction service temporary directory
 at com.vontu.cracker.jni.EngineContext.setupTemporaryDirectory(EngineContext.java:62)
 at com.vontu.cracker.jni.EngineContext.<init>(EngineContext.java:86)
 at com.vontu.cracker.NativeExtractionEngine.<init>(NativeExtractionEngine.java:82)
 at com.vontu.cracker.NativeExtractionEngine.<init>(NativeExtractionEngine.java:43)
 at com.vontu.detection.ExtractionEngineFactoryLoader.loadExtractorFactory(ExtractionEngineFactoryLoader.java:39)
 at com.vontu.messaging.FileReader.initializeContentExtractionServices(FileReader.java:620)
 at com.vontu.messaging.FileReader.start(FileReader.java:390)
 at com.vontu.messaging.FileReaderSetup.initialize(FileReaderSetup.java:105)
 at com.vontu.messaging.FileReader.main(FileReader.java:297)
Caused by: java.nio.file.AccessDeniedException: /opt/Symantec/DataLossPrevention/DetectionServer/15.5/Protect/bin/TempCEHFiles
 at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84)
 at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
 at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
 at sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:384)
 at java.nio.file.Files.createDirectory(Files.java:674)
 at java.nio.file.Files.createAndCheckIsDirectory(Files.java:781)
 at java.nio.file.Files.createDirectories(Files.java:767)
 at com.vontu.cracker.jni.EngineContext.setupTemporaryDirectory(EngineContext.java:58)
 ... 8 more
Date: 3/12/2020 4:01:12 PM
Class: com.vontu.logging.LocalLogWriter
Method: write
Level: SEVERE
Message:  File Reader failed to start. Error starting File Reader. Failed to create content extraction service temporary directory No incidents will be detected.

Resolution:

Instead of only putting TempCEHFiles, please create a directory with TempCEHFiles anywhere in any drive like below:

C:\Program Files\Symantec\DataLossPrevention\DetectionServer\15.7\Protect\temp\TempCEHFiles\

or 

C:\TempCEHFiles\

Then paste this as a full location in the above step 2.